From 910efe277f7dacadab9a8517e5b87b2be878a377 Mon Sep 17 00:00:00 2001
From: Chris Buechler <cmb@pfsense.org>
Date: Sun, 5 Apr 2009 22:20:53 -0400
Subject: Block all IPv6 traffic by default, since IPv6 isn't supported, there
 isn't any way to add such rules in the GUI, and nearly all users won't want
 IPv6 to traverse their firewall at this point. Add "Allow IPv6" checkbox to
 disable this behavior.

---
 usr/local/www/system_advanced_firewall.php | 18 +++++++++++++++++-
 usr/local/www/system_advanced_network.php  | 16 ++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

(limited to 'usr')

diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 770634e..74287b8 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -54,6 +54,7 @@ $pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
 $pconfig['reflectiontimeout'] = $config['system']['reflectiontimeout'];
 $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
 $pconfig['disablescrub'] = isset($config['system']['disablescrub']);
+$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
 
 if ($_POST) {
 
@@ -116,6 +117,11 @@ if ($_POST) {
 		else
 			unset($config['system']['disablescrub']);
 
+                if($_POST['ipv6allow'] == "yes")
+                    $config['system']['ipv6allow'] = true;
+                else
+                    unset($config['system']['ipv6allow']);
+                    
 		write_config();
 
 		$retval = 0;
@@ -275,7 +281,17 @@ function update_description(itemnum) {
 							<tr>
 								<td colspan="2" class="list" height="12">&nbsp;</td>
 							</tr>
-	
+							<tr>
+								<td colspan="2" valign="top" class="listtopic">IPv6</td>
+							</tr>		
+							<tr>
+								<td width="22%" valign="top" class="vncell">Allow IPv6</td>
+								<td width="78%" class="vtable">
+									<input name="ipv6allow" type="checkbox" id="ipv6allow" value="yes" <?php if (isset($config['system']['ipv6allow'])) echo "checked"; ?> />
+									<strong>Allow IPv6</strong>
+                                                                        <br>All IPv6 traffic will be blocked unless this box is checked.
+								</td>
+							</tr>	
 							<?php if($config['interfaces']['lan']): ?>
 							<tr>
 								<td colspan="2" valign="top" class="listtopic">Network Address Translation</td>
diff --git a/usr/local/www/system_advanced_network.php b/usr/local/www/system_advanced_network.php
index 5eaab75..0088caa 100644
--- a/usr/local/www/system_advanced_network.php
+++ b/usr/local/www/system_advanced_network.php
@@ -45,6 +45,7 @@ require("guiconfig.inc");
 
 $pconfig['ipv6nat_enable'] = isset($config['diag']['ipv6nat']['enable']);
 $pconfig['ipv6nat_ipaddr'] = $config['diag']['ipv6nat']['ipaddr'];
+$pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
 $pconfig['polling_enable'] = isset($config['system']['polling']);
 $pconfig['sharednet'] = $config['system']['sharednet'];
 $pconfig['disablechecksumoffloading'] = isset($config['system']['disablechecksumoffloading']);
@@ -72,6 +73,12 @@ if ($_POST) {
 				}
 			}
 		}
+		
+		if($_POST['ipv6allow'] == "yes") {
+		    $config['system']['ipv6allow'] = true;
+		} else {
+		    unset($config['system']['ipv6allow']);
+		}
 
 		if($_POST['sharednet'] == "yes") {
 			$config['system']['sharednet'] = true;
@@ -166,6 +173,15 @@ function enable_change(enable_over) {
 								<td colspan="2" valign="top" class="listtopic">IPv6 Options</td>
 							</tr>
 							<tr>
+								<td width="22%" valign="top" class="vncell">Allow IPv6</td>
+								<td width="78%" class="vtable">
+									<input name="ipv6allow" type="checkbox" id="ipv6allow" value="yes" <?php if ($pconfig['ipv6allow']) echo "checked"; ?> onclick="enable_change(false)" />
+									<strong>Allow IPv6</strong><br/>
+									All IPv6 will be blocked unless this box is checked.<br/>
+									<br/>
+								</td>
+							</tr>
+							<tr>
 								<td width="22%" valign="top" class="vncell">IPv6 over IPv4 Tunneling</td>
 								<td width="78%" class="vtable">
 									<input name="ipv6nat_enable" type="checkbox" id="ipv6nat_enable" value="yes" <?php if ($pconfig['ipv6nat_enable']) echo "checked"; ?> onclick="enable_change(false)" />
-- 
cgit v1.1